Author Archive: Security Labs

The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.

Both Stefan Schörling and Mattias Borg from SEC-LABS R&D is recognized at the Microsoft Security Response Center security researchers list for August 2018.

This was due to a vulnerability discovered with Johan Dahlbom and was reported to Microsoft.

We would like to give our appreciation to the MSRC team and it was a pleasure working with you to resolve this issue!

It will be good if you add some details in the recommended actions if someone else will take action on the alert, or at least add a pointer to where they can find further information on requred actions. (Information sharing is important).

It’s possible to change this infomation later on.

On the Detection Rule page you can see the alerts and other information regards the detection rule.

All the rules will be listed at the left side in the hunting section.

For further infomation about the new preview features please go to this url:

We started to dig into WordPress config files and realized that it’s very common to create a backup of your config file, which is not a bad idea.

This config file contains the base configuration of a wordpress installation like Database Connection (user name, password, ost) and other sensitive information.

Example

What’s really bad is that some admins seems to store the file in the web root and changed the extension to txt will will be read in the browser.

If we change the file extension to .txt it will be managed by the web server/php interpreter as any other txt file and present the content to the user.

So if we look at one part that exists in the WordPress config file.“define(‘AUTH_KEY’, ‘” and we also have some other phrases like “wp-config.php”.

If you want an idea of how bad it is we can let google sort that out for us using some search operands available.
Since google knows the content of all files it has indexed which are most of them we just search for the content using “intext:” and filter on txt files using “filetype:”

intext:define(‘AUTH_KEY’, ‘ wp-config.php filetype:txt

The result shows about 6000+ results (and probably some false positives in the results).

This file is not something that would be read by the user and you should not be able to download the php file either ;).

What you need to do

Don’t place sensitive files in the web root that doens’t have to be there

Configure permissions

Definitely don’t place backup files in the webroot, in case you don’t have to temporarily to reinstall a web application but otherwise, keep them away from the internet

If you need permission to do X you should only have access to do X and not several other things.

That’s why you should define the roles and reponsibilities in your organization to make sure you can apply a least privilege strategy.

Many products supports RBAC and should be used.

Working with Roles in Windows Defender ATP is very simple. You can enable it in Settings menu.

Settings > Roles > Enable Roles

The Global administrator role is added by default and have full permissions which can’t be changed.

Creating Roles

It’s not a bad idea to create a few roles, even if it’s just ju who are the complete security team. One reason is organizational changes and one important reason is that we don’t want people to work as global administrators.

A while ago Microsoft released the Threat Hunting capatibilities in WD ATP.

This is a great feature since you’re able to query a lot of things across your devices.

Example scenario:

Let’s say you receive IoC’s for an ongoing attack or investigate threat actors with known files or IP’s you can Query these IoC’s on both on-prem devices and devices which only exists on the internet and never in the office.

That’s one of the benefits of using cloud security services.

As we wrote in the last post it’s now possible to onboard older operating systems like Windows 7 and Windows 8.1. There is also possible to onboard Linux systems and Macs

Threat Hunting

The hunting capatibilities in WD ATP involves running queries and you’re able to query almost everything which can happen in the Operating System.

If you’re familiar with Sysinternals Sysmon your will recognize the a lot of the data which you can query.

The query language is very similar to Splunk and adoption to these queries should be straight forward
ProcessCreationEvents
| where EventTime > ago(30d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "Invoke-Mimikatz"
or ProcessCommandLine has "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime

Use “Project” to select which columns you want in the output and you can export the result to a spreadsheet.

In the above example we ran a query to find malicious powershell commands being executed.

You can also, for example, query all powershell executions from Office applications
ProcessCreationEvents
| where EventTime > ago(14d)
| where ProcessCommandLine has "powershell"
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpoint.exe")

You can also use the quick search to finns URL’s, File hashes, IPs

The output will show you hits in organization and prevalance world wide which will give you more indication of a threat.

When we search for a filehash we can also submit the file for deeper analysis.

Today Microsoft announced that it’s now possible to onboard older legacy operatingsystems to ATP (Advanced Threat Protection) when the public preview that is available.

Windows 7 SP1 Enterprise

Windows 7 SP1 Pro

Windows 8.1 Pro

Windows 8.1 Enterprise

Even though we Always recommend using the latest versions there might be scenarios where you need the advanced detection and response capatibilities and of ATP and it’s not possible to upgrade the machines.

The difference between Windows 10 and the older versions is that is not built-in and you have to install an Microsoft Monitoring agent which will connect to your workspace and report the sensor data.

Email Forwarding is a challenge when it comes to modern attacks, and it was recently used as one of the tools in a crimecase in Sweden. Basically the attackers forwarded all emails from the victims to themselves to be able to track the victims very easily and to gain insights and data for social engineering attacks. Multifactor auth via e-mail or password reset links where obtained and could easly be used to manipulate and gain access.

Email forwarding can be created in Outlook or the the web application (OWA) by the users or an attacker with access to a user account.

The solution for this is very easy.
You can block email forwarding and redirects in general and allow it where it’s necessary (if you do have that scenario).

We often talk about risks only in term.s of potential loss, but most risks have the potential for gain too. To manage cybersecurity as a business risk, we need to better understand the opportunities and risks of key business drivers The post Managing cybersecurity like a business risk: Part 1—Modeling opportunities and threats appeared first […]

Microsoft identity engineering has expanded product partnerships to help customers transform digitally with Azure AD-integrated solutions. The post 4 identity partnerships to help drive better security appeared first on Microsoft Security.

As secure remote work becomes the new normal, Microsoft security and Zscaler provide guidance on enabling Zero Trust starting with secure access. The post Zero Trust and its role in securing the new normal appeared first on Microsoft Security.

5 questions that will help you select open source software and 4 recommendations to smooth the internal approval process. Advice from the RSA 2020 panel discussion, Open Source: Promise, Perils and the Path Ahead. The post Build support for open source in your organization appeared first on Microsoft Security.

Your network is unique. It’s a living, breathing system evolving over time. The applications and users performing these actions are all unique parts of the system, adding degrees of disorder and entropy to your operating environment. The post Success in security: reining in entropy appeared first on Microsoft Security.

If an internet-connected device performs a non-critical function, why does it need to be highly secured? Because any device can be the target of a hacker, and any hacked device can be weaponized. The post Cybersecurity best practices to implement highly secured devices appeared first on Microsoft Security.

As part of this week’s Build virtual event, we’re introducing new Identity innovation to help foster a secure and trustworthy app ecosystem, as well as announcing a number of new capabilities in Azure to help secure customers. The post Microsoft Build brings new innovations and capabilities to keep developers and customers secure appeared first on […]

Cybersecurity provides the underpinning to operationally resiliency as more organizations adapt to enabling secure remote work options, whether in the short or long term. The post Operational resilience in a remote work world appeared first on Microsoft Security.

While the world faces the common threat of COVID-19, defenders are working overtime to protect users all over the globe from cyber-criminals using COVID-19 as a lure to mount attacks. The post Open-sourcing new COVID-19 threat intelligence appeared first on Microsoft Security.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.AcceptRead More